1 //! Checks the licenses of third-party dependencies.
3 use cargo_metadata::{Metadata, Package, PackageId, Resolve};
4 use std::collections::{BTreeSet, HashSet};
7 /// These are licenses that are allowed for all crates, including the runtime,
9 const LICENSES: &[&str] = &[
16 "Apache-2.0 WITH LLVM-exception OR Apache-2.0 OR MIT", // wasi license
21 "0BSD OR MIT OR Apache-2.0", // adler license
22 "Zlib OR Apache-2.0 OR MIT", // tinyvec
23 "MIT OR Apache-2.0 OR Zlib", // tinyvec_macros
24 "MIT OR Zlib OR Apache-2.0", // miniz_oxide
25 "(MIT OR Apache-2.0) AND Unicode-DFS-2016", // unicode_ident
26 "Unicode-DFS-2016", // tinystr and icu4x
29 /// These are exceptions to Rust's permissive licensing policy, and
30 /// should be considered bugs. Exceptions are only allowed in Rust
31 /// tooling. It is _crucial_ that no exception crates be dependencies
32 /// of the Rust runtime (std/test).
33 const EXCEPTIONS: &[(&str, &str)] = &[
34 ("ar_archive_writer", "Apache-2.0 WITH LLVM-exception"), // rustc
35 ("mdbook", "MPL-2.0"), // mdbook
36 ("openssl", "Apache-2.0"), // cargo, mdbook
37 ("colored", "MPL-2.0"), // rustfmt
38 ("ryu", "Apache-2.0 OR BSL-1.0"), // cargo/... (because of serde)
39 ("bytesize", "Apache-2.0"), // cargo
40 ("im-rc", "MPL-2.0+"), // cargo
41 ("sized-chunks", "MPL-2.0+"), // cargo via im-rc
42 ("bitmaps", "MPL-2.0+"), // cargo via im-rc
43 ("fiat-crypto", "MIT OR Apache-2.0 OR BSD-1-Clause"), // cargo via pasetors
44 ("subtle", "BSD-3-Clause"), // cargo via pasetors
45 ("instant", "BSD-3-Clause"), // rustc_driver/tracing-subscriber/parking_lot
46 ("snap", "BSD-3-Clause"), // rustc
47 ("fluent-langneg", "Apache-2.0"), // rustc (fluent translations)
48 ("self_cell", "Apache-2.0"), // rustc (fluent translations)
49 // FIXME: this dependency violates the documentation comment above:
50 ("fortanix-sgx-abi", "MPL-2.0"), // libstd but only for `sgx` target
51 ("dunce", "CC0-1.0"), // cargo (dev dependency)
52 ("similar", "Apache-2.0"), // cargo (dev dependency)
53 ("normalize-line-endings", "Apache-2.0"), // cargo (dev dependency)
54 ("dissimilar", "Apache-2.0"), // rustdoc, rustc_lexer (few tests) via expect-test, (dev deps)
57 const EXCEPTIONS_CRANELIFT: &[(&str, &str)] = &[
58 ("cranelift-bforest", "Apache-2.0 WITH LLVM-exception"),
59 ("cranelift-codegen", "Apache-2.0 WITH LLVM-exception"),
60 ("cranelift-codegen-meta", "Apache-2.0 WITH LLVM-exception"),
61 ("cranelift-codegen-shared", "Apache-2.0 WITH LLVM-exception"),
62 ("cranelift-egraph", "Apache-2.0 WITH LLVM-exception"),
63 ("cranelift-entity", "Apache-2.0 WITH LLVM-exception"),
64 ("cranelift-frontend", "Apache-2.0 WITH LLVM-exception"),
65 ("cranelift-isle", "Apache-2.0 WITH LLVM-exception"),
66 ("cranelift-jit", "Apache-2.0 WITH LLVM-exception"),
67 ("cranelift-module", "Apache-2.0 WITH LLVM-exception"),
68 ("cranelift-native", "Apache-2.0 WITH LLVM-exception"),
69 ("cranelift-object", "Apache-2.0 WITH LLVM-exception"),
70 ("mach", "BSD-2-Clause"),
71 ("regalloc2", "Apache-2.0 WITH LLVM-exception"),
72 ("target-lexicon", "Apache-2.0 WITH LLVM-exception"),
73 ("wasmtime-jit-icache-coherence", "Apache-2.0 WITH LLVM-exception"),
76 const EXCEPTIONS_BOOTSTRAP: &[(&str, &str)] = &[
77 ("ryu", "Apache-2.0 OR BSL-1.0"), // through serde
80 /// These are the root crates that are part of the runtime. The licenses for
81 /// these and all their dependencies *must not* be in the exception list.
82 const RUNTIME_CRATES: &[&str] = &["std", "core", "alloc", "test", "panic_abort", "panic_unwind"];
84 /// Crates rustc is allowed to depend on. Avoid adding to the list if possible.
86 /// This list is here to provide a speed-bump to adding a new dependency to
87 /// rustc. Please check with the compiler team before adding an entry.
88 const PERMITTED_RUSTC_DEPENDENCIES: &[&str] = &[
101 "bumpalo", // Included in Cargo's dep graph but only activated on wasm32-*-unknown.
109 "convert_case", // dependency of derive_more
129 "fallible-iterator", // dependency of `thorin`
149 "icu_provider_adapters",
150 "icu_provider_macros",
159 "js-sys", // Included in Cargo's dep graph but only activated on wasm32-*-unknown.
183 "perf-event-open-sys",
225 "stable_deref_trait",
228 "subtle", // dependency of cargo (via pasetors)
244 "tracing-attributes",
247 "tracing-subscriber",
252 "unic-char-property",
258 "unic-langid-macros",
259 "unic-langid-macros-impl",
262 "unicode-normalization",
271 // vvv Included in Cargo's dep graph but only activated on wasm32-*-unknown.
273 "wasm-bindgen-backend",
274 "wasm-bindgen-macro",
275 "wasm-bindgen-macro-support",
276 "wasm-bindgen-shared",
277 // ^^^ Included in Cargo's dep graph but only activated on wasm32-*-unknown.
279 "winapi-i686-pc-windows-gnu",
281 "winapi-x86_64-pc-windows-gnu",
283 // this is a false-positive: it's only used by rustfmt, but because it's enabled through a
284 // feature, tidy thinks it's used by rustc as well.
294 const PERMITTED_CRANELIFT_DEPENDENCIES: &[&str] = &[
305 "cranelift-codegen-meta",
306 "cranelift-codegen-shared",
309 "cranelift-frontend",
333 "stable_deref_trait",
337 "wasmtime-jit-icache-coherence",
339 "winapi-i686-pc-windows-gnu",
340 "winapi-x86_64-pc-windows-gnu",
342 "windows_aarch64_msvc",
345 "windows_x86_64_gnu",
346 "windows_x86_64_msvc",
349 const FORBIDDEN_TO_HAVE_DUPLICATES: &[&str] = &[
350 // This crate takes quite a long time to build, so don't allow two versions of them
351 // to accidentally sneak into our dependency graph, in order to ensure we keep our CI times
356 /// Dependency checks.
358 /// `root` is path to the directory with the root `Cargo.toml` (for the workspace). `cargo` is path
359 /// to the cargo executable.
360 pub fn check(root: &Path, cargo: &Path, bad: &mut bool) {
361 let mut cmd = cargo_metadata::MetadataCommand::new();
362 cmd.cargo_path(cargo)
363 .manifest_path(root.join("Cargo.toml"))
364 .features(cargo_metadata::CargoOpt::AllFeatures);
365 let metadata = t!(cmd.exec());
366 let runtime_ids = compute_runtime_crates(&metadata);
367 check_license_exceptions(&metadata, EXCEPTIONS, runtime_ids, bad);
368 check_permitted_dependencies(
371 PERMITTED_RUSTC_DEPENDENCIES,
372 &["rustc_driver", "rustc_codegen_llvm"],
375 check_crate_duplicate(&metadata, FORBIDDEN_TO_HAVE_DUPLICATES, bad);
376 check_rustfix(&metadata, bad);
378 // Check rustc_codegen_cranelift independently as it has it's own workspace.
379 let mut cmd = cargo_metadata::MetadataCommand::new();
380 cmd.cargo_path(cargo)
381 .manifest_path(root.join("compiler/rustc_codegen_cranelift/Cargo.toml"))
382 .features(cargo_metadata::CargoOpt::AllFeatures);
383 let metadata = t!(cmd.exec());
384 let runtime_ids = HashSet::new();
385 check_license_exceptions(&metadata, EXCEPTIONS_CRANELIFT, runtime_ids, bad);
386 check_permitted_dependencies(
389 PERMITTED_CRANELIFT_DEPENDENCIES,
390 &["rustc_codegen_cranelift"],
393 check_crate_duplicate(&metadata, &[], bad);
395 let mut cmd = cargo_metadata::MetadataCommand::new();
396 cmd.cargo_path(cargo)
397 .manifest_path(root.join("src/bootstrap/Cargo.toml"))
398 .features(cargo_metadata::CargoOpt::AllFeatures);
399 let metadata = t!(cmd.exec());
400 let runtime_ids = HashSet::new();
401 check_license_exceptions(&metadata, EXCEPTIONS_BOOTSTRAP, runtime_ids, bad);
404 /// Check that all licenses are in the valid list in `LICENSES`.
406 /// Packages listed in `exceptions` are allowed for tools.
407 fn check_license_exceptions(
409 exceptions: &[(&str, &str)],
410 runtime_ids: HashSet<&PackageId>,
413 // Validate the EXCEPTIONS list hasn't changed.
414 for (name, license) in exceptions {
415 // Check that the package actually exists.
416 if !metadata.packages.iter().any(|p| p.name == *name) {
419 "could not find exception package `{}`\n\
420 Remove from EXCEPTIONS list if it is no longer used.",
424 // Check that the license hasn't changed.
425 for pkg in metadata.packages.iter().filter(|p| p.name == *name) {
430 "dependency exception `{}` does not declare a license expression",
434 Some(pkg_license) => {
435 if pkg_license.as_str() != *license {
436 println!("dependency exception `{name}` license has changed");
437 println!(" previously `{license}` now `{pkg_license}`");
438 println!(" update EXCEPTIONS for the new license");
446 let exception_names: Vec<_> = exceptions.iter().map(|(name, _license)| *name).collect();
448 // Check if any package does not have a valid license.
449 for pkg in &metadata.packages {
450 if pkg.source.is_none() {
451 // No need to check local packages.
454 if !runtime_ids.contains(&pkg.id) && exception_names.contains(&pkg.name.as_str()) {
457 let license = match &pkg.license {
458 Some(license) => license,
460 tidy_error!(bad, "dependency `{}` does not define a license expression", pkg.id);
464 if !LICENSES.contains(&license.as_str()) {
465 if pkg.name == "fortanix-sgx-abi" {
466 // This is a specific exception because SGX is considered
467 // "third party". See
468 // https://github.com/rust-lang/rust/issues/62620 for more. In
469 // general, these should never be added.
472 tidy_error!(bad, "invalid license `{}` in `{}`", license, pkg.id);
477 /// Checks the dependency of `restricted_dependency_crates` at the given path. Changes `bad` to
478 /// `true` if a check failed.
480 /// Specifically, this checks that the dependencies are on the `permitted_dependencies`.
481 fn check_permitted_dependencies(
484 permitted_dependencies: &[&'static str],
485 restricted_dependency_crates: &[&'static str],
488 // Check that the PERMITTED_DEPENDENCIES does not have unused entries.
489 for name in permitted_dependencies {
490 if !metadata.packages.iter().any(|p| p.name == *name) {
493 "could not find allowed package `{}`\n\
494 Remove from PERMITTED_DEPENDENCIES list if it is no longer used.",
499 // Get the list in a convenient form.
500 let permitted_dependencies: HashSet<_> = permitted_dependencies.iter().cloned().collect();
502 // Check dependencies.
503 let mut visited = BTreeSet::new();
504 let mut unapproved = BTreeSet::new();
505 for &krate in restricted_dependency_crates.iter() {
506 let pkg = pkg_from_name(metadata, krate);
508 check_crate_dependencies(&permitted_dependencies, metadata, &mut visited, pkg);
509 unapproved.append(&mut bad);
512 if !unapproved.is_empty() {
513 tidy_error!(bad, "Dependencies for {} not explicitly permitted:", descr);
514 for dep in unapproved {
520 /// Checks the dependencies of the given crate from the given cargo metadata to see if they are on
521 /// the list of permitted dependencies. Returns a list of disallowed dependencies.
522 fn check_crate_dependencies<'a>(
523 permitted_dependencies: &'a HashSet<&'static str>,
524 metadata: &'a Metadata,
525 visited: &mut BTreeSet<&'a PackageId>,
527 ) -> BTreeSet<&'a PackageId> {
528 // This will contain bad deps.
529 let mut unapproved = BTreeSet::new();
531 // Check if we have already visited this crate.
532 if visited.contains(&krate.id) {
536 visited.insert(&krate.id);
538 // If this path is in-tree, we don't require it to be explicitly permitted.
539 if krate.source.is_some() {
540 // If this dependency is not on `PERMITTED_DEPENDENCIES`, add to bad set.
541 if !permitted_dependencies.contains(krate.name.as_str()) {
542 unapproved.insert(&krate.id);
546 // Do a DFS in the crate graph.
547 let to_check = deps_of(metadata, &krate.id);
549 for dep in to_check {
550 let mut bad = check_crate_dependencies(permitted_dependencies, metadata, visited, dep);
551 unapproved.append(&mut bad);
557 /// Prevents multiple versions of some expensive crates.
558 fn check_crate_duplicate(
560 forbidden_to_have_duplicates: &[&str],
563 for &name in forbidden_to_have_duplicates {
564 let matches: Vec<_> = metadata.packages.iter().filter(|pkg| pkg.name == name).collect();
565 match matches.len() {
569 "crate `{}` is missing, update `check_crate_duplicate` \
570 if it is no longer used",
578 "crate `{}` is duplicated in `Cargo.lock`, \
579 it is too expensive to build multiple times, \
580 so make sure only one version appears across all dependencies",
584 println!(" * {}", pkg.id);
591 /// Returns a list of dependencies for the given package.
592 fn deps_of<'a>(metadata: &'a Metadata, pkg_id: &'a PackageId) -> Vec<&'a Package> {
593 let resolve = metadata.resolve.as_ref().unwrap();
597 .find(|n| &n.id == pkg_id)
598 .unwrap_or_else(|| panic!("could not find `{pkg_id}` in resolve"));
602 metadata.packages.iter().find(|pkg| pkg.id == dep.pkg).unwrap_or_else(|| {
603 panic!("could not find dep `{}` for pkg `{}` in resolve", dep.pkg, pkg_id)
609 /// Finds a package with the given name.
610 fn pkg_from_name<'a>(metadata: &'a Metadata, name: &'static str) -> &'a Package {
611 let mut i = metadata.packages.iter().filter(|p| p.name == name);
613 i.next().unwrap_or_else(|| panic!("could not find package `{name}` in package list"));
614 assert!(i.next().is_none(), "more than one package found for `{name}`");
618 /// Finds all the packages that are in the rust runtime.
619 fn compute_runtime_crates<'a>(metadata: &'a Metadata) -> HashSet<&'a PackageId> {
620 let resolve = metadata.resolve.as_ref().unwrap();
621 let mut result = HashSet::new();
622 for name in RUNTIME_CRATES {
623 let id = &pkg_from_name(metadata, name).id;
624 normal_deps_of_r(resolve, id, &mut result);
629 /// Recursively find all normal dependencies.
630 fn normal_deps_of_r<'a>(
631 resolve: &'a Resolve,
632 pkg_id: &'a PackageId,
633 result: &mut HashSet<&'a PackageId>,
635 if !result.insert(pkg_id) {
641 .find(|n| &n.id == pkg_id)
642 .unwrap_or_else(|| panic!("could not find `{pkg_id}` in resolve"));
643 for dep in &node.deps {
644 normal_deps_of_r(resolve, &dep.pkg, result);
648 fn check_rustfix(metadata: &Metadata, bad: &mut bool) {
649 let cargo = pkg_from_name(metadata, "cargo");
650 let compiletest = pkg_from_name(metadata, "compiletest");
651 let cargo_deps = deps_of(metadata, &cargo.id);
652 let compiletest_deps = deps_of(metadata, &compiletest.id);
653 let cargo_rustfix = cargo_deps.iter().find(|p| p.name == "rustfix").unwrap();
654 let compiletest_rustfix = compiletest_deps.iter().find(|p| p.name == "rustfix").unwrap();
655 if cargo_rustfix.version != compiletest_rustfix.version {
658 "cargo's rustfix version {} does not match compiletest's rustfix version {}\n\
659 rustfix should be kept in sync, update the cargo side first, and then update \
660 compiletest along with cargo.",
661 cargo_rustfix.version,
662 compiletest_rustfix.version
projects / rust.git / blob